<p>If a JSON Web Token (JWT) is not signed with a strong cipher algorithm (or not signed at all) an attacker can forge it and impersonate user
identities.</p>
<ul>
  <li> Don’t use <code>none</code> algorithm to sign or verify the validity of a token. </li>
  <li> Don’t use a token without verifying its signature before. </li>
</ul>
<h2>Noncompliant Code Example</h2>
<p>Using <a href="https://github.com/jwtk/jjwt">jwtk/Java JWT</a> library (to verify a signed token (containing a JWS) don’t use the
<code>parse</code> method as it doesn’t throw an exception if an unsigned token is provided):</p>
<pre>
// Signing:
io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed.
  .setSubject(USER_LOGIN)
  .compact();
// Verifying:
io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant
</pre>
<p>Using <a href="https://github.com/auth0/java-jwt">auth0/Java JWT</a> library:</p>
<pre>
// Signing:
com.auth0.jwt.JWT.create()
  .withSubject(SUBJECT)
  .sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT.
// Verifying:
JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) // Noncompliant
  .withSubject(LOGIN)
  .build();
</pre>
<h2>Compliant Solution</h2>
<p>Using <a href="https://github.com/jwtk/jjwt">Java JWT</a> library (to verify a signed token (containing a JWS) use the <code>parseClaimsJws</code>
method that will throw an exception if an unsigned token is provided):</p>
<pre>
// Signing:
Jwts.builder() // Compliant
  .setSubject(USER_LOGIN)
  .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
  .compact();
// Verifying:
Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant
</pre>
<p>Using <a href="https://github.com/auth0/java-jwt">auth0/Java JWT</a> library. I</p>
<pre>
// Signing:
JWT.create()
  .withSubject(SUBJECT)
  .sign(Algorithm.HMAC256(SECRET_KEY)); // Compliant
// Verifying:
JWTVerifier nonCompliantVerifier = JWT.require(Algorithm.HMAC256(SECRET_KEY)) // Compliant
  .withSubject(LOGIN)
  .build();
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">OWASP Top 10 2021 Category A2</a> - Cryptographic Failures </li>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
  </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/347.html">MITRE, CWE-347</a> - Improper Verification of Cryptographic Signature </li>
</ul>

